Thanks for the comments, responses inline: On Fri, Nov 18, 2022 at 4:49 AM Ilari Liusvaara <[email protected]> wrote:
> On Fri, Nov 18, 2022 at 09:08:53AM +0000, Hannes Tschofenig wrote: > > > > If you talk about "nasty combinatorial explosion" then you need to > > explain how "nasty" it is, i.e. what the potential number of > > combinations we could have. In practice, none of these algorithm > > combinations have been bad in the past since most people are > > interested only in a small number of combination rather than anything > > that is theoretically possible (see TLS ciphersuites). > > Currently, there are 45 (60) possible combinations. And that increases > rapidly if HPKE adds anything new: A reasonable set of additions (CP-*, > X25519+Kyber768, plus SHA-3 KDF) would push that to 108 (144). > > Dropping PQC Composite scheme on this argument seems like a pretty low blow : ) The numbers in parenthesis are if exporters are also considered (needed > for JOSE, but not COSE). > > > Yes, many of those combinations make little sense, but the problems > are to pick those combinations that make sense (some of which are not > obvious). Each added HPKE algorithm would be fair amount of work for > the WG. And secondarily, ciphersuites are difficult to configure. > > Why would the WG bother to register combinations that nobody wants to use or is using? If we don't register those combinations, how big is this "explosion" really going to be? Currently, I count 12 (17) combinations that I think make sense (but > I might be missing some). A reasonable set of additions would bring > that to 22 (31). > > > And the main problem with TLS ciphersuites is that it is _not_ > "everything possible". There are gaps, either due to some combination > just not having a ciphersuite, or such ciphersuite existing, but client > not advertising it. And handling that is very difficult, with most > implementations being buggy. > > Are you arguing that COSE / JOSE should register everything here? or that a client should implement everything that is in the registry? or that basing COSE / JOSE on TLS decisions is a mistake? > > And on TLS, there is TLS ECH, which uses HPKE in way somewhat similar > to COSE-HPKE. It does reuse the HPKE registeries instead of defining > its own codepoints (however, it does combine KDF with AEAD, which I > do not think is a good idea, KDF should combine with KEM if it is > combined with anything). > > > Can someone who supported the decision to combine KDF and AEAD comment on why that was a "good idea" ? > > -Ilari > > _______________________________________________ > COSE mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/cose > -- *ORIE STEELE* Chief Technical Officer www.transmute.industries <https://www.transmute.industries>
_______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
